Critical severity9.8NVD Advisory· Published Jun 8, 2023· Updated Jun 17, 2026
CVE-2023-29405
CVE-2023-29405
Description
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
40- osv-coords36 versionspkg:apk/chainguard/falcopkg:apk/chainguard/falco-devpkg:apk/chainguard/falco-srcpkg:apk/chainguard/kindpkg:apk/chainguard/policy-controllerpkg:apk/chainguard/policy-controller-testerpkg:apk/chainguard/policy-controller-webhookpkg:apk/wolfi/falcopkg:apk/wolfi/falco-devpkg:apk/wolfi/falco-srcpkg:apk/wolfi/kindpkg:apk/wolfi/policy-controllerpkg:apk/wolfi/policy-controller-testerpkg:apk/wolfi/policy-controller-webhookpkg:bitnami/golangpkg:rpm/almalinux/delvepkg:rpm/almalinux/golangpkg:rpm/almalinux/golang-binpkg:rpm/almalinux/golang-docspkg:rpm/almalinux/golang-miscpkg:rpm/almalinux/golang-racepkg:rpm/almalinux/golang-srcpkg:rpm/almalinux/golang-testspkg:rpm/almalinux/go-toolsetpkg:rpm/opensuse/go1.19&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/go1.19&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/go1.19&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/go1.20&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/go1.20&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/go1.20&distro=openSUSE%20Tumbleweedpkg:rpm/suse/go1.19&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4pkg:rpm/suse/go1.19&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5pkg:rpm/suse/go1.19&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3pkg:rpm/suse/go1.20&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4pkg:rpm/suse/go1.20&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5pkg:rpm/suse/go1.20&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3
< 0.37.1-r0+ 35 more
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.21.0-r0
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.21.0-r0
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 1.19.10
- (no CPE)range: < 1.9.1-1.module_el8.8.0+3471+a62632a0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.19.10-1.1
- (no CPE)range: < 1.20.5-150000.1.14.1
- (no CPE)range: < 1.20.5-150000.1.14.1
- (no CPE)range: < 1.20.5-1.1
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.20.5-150000.1.14.1
- (no CPE)range: < 1.20.5-150000.1.14.1
- (no CPE)range: < 1.20.5-150000.1.14.1
- Go toolchain/cmd/cgov5Range: 0
- Go toolchain/cmd/gov5Range: 0
Patches
Vulnerability mechanics
References
8- go.dev/cl/501224nvdPatch
- groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJnvdMailing ListThird Party Advisory
- pkg.go.dev/vuln/GO-2023-1842nvdVendor Advisory
- go.dev/issue/60306nvdIssue Tracking
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/nvdMailing List
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/nvd
- security.gentoo.org/glsa/202311-09nvd
- security.netapp.com/advisory/ntap-20241206-0003/nvd
News mentions
0No linked articles in our index yet.